Mission Critical Security Planner
Greenberg delights in skewering bureaucracies that believe planning and methodology are an end in themselves, yet recognizes the key business realities facing security advocates and suggests practical approaches to "selling security" within an organization -- an important topic given tight or shrinking budgets.
Greenberg is clearly a security guy and writes with experience and authority -- at times the style is conversational and humorous, at others professorial -- and it is a good read for a security-focused text. While providing a strong overview of sound security planning and risk management concepts, MCSP also digs down and provides details where it counts regarding filters, proxies, IDS/VA, configuration management, content management (ActiveX, etc.), and so forth, yet consistently presents this low-level detail within the framework of an actionable security planning methodology that will still be relevant five or even ten years from now. MCSP is anything but a security cookbook of technology discussions gleaned from public sources, although many basic concepts and topics are explained in the book's comprehensive glossary. Instead, the book presents the strengths and weaknesses of various technologies and approaches as they relate to the security improvement process.
MCSP uses a sequence of sophisticated worksheets to guide the reader through the security planning process and create a dynamic, actionable security plan -- not a plan that lives on the shelf. In Greenberg's approach there are three components to the Security Plan: the Security Stack (physical, network, application, OS), the Life-Cycle Stack (technology selection, implementation, operations, incident response), and Business (information, infrastructure, people). You may have noticed that the Security Stack resembles the OSI model -- this kind of rational, logical layering is typical of the whole book. Using the worksheets as a guide, the Security Plan is mapped to 28 pre-defined security elements addressing the core security planning challenges of a distributed computing environment. Built on the worksheets, the impact analysis method produces a readily understandable plan that reflects the specific business, technical, and life-cycle tradeoffs in your organization.
Greenberg keeps it interesting with many anecdotes illustrating key points and thought-provoking arguments. For example, he advocates an approach that will hold vendors accountable for poor security by providing a quantifiable method for business software users to track security. The final chapter covers strategic security planning with PKI and provides a roadmap for selling an organization on the benefits of PKI when appropriate.
MCSP is an innovative and useful security book. The book provides security staffers and planners with the logical framework and tools they need to create a comprehensive, living, and actionable security plan enabling the organization to shift from a reactive security posture to a more pro-active approach. Highly recommended.
Online reader resources are available, and chapter one may be downloaded from http://www.criticalsecurity.com.
Table of Contents
- Chapter 1: Setting the Stage For Successful Security Planning
- Chapter 2: A Security Plan That Works
- Chapter 3: Using the Security Plan Worksheets: The Fundamentals
- Chapter 4: Using the Security Plan Worksheets: The Remaining Core and Wrap-Up Elements
- Chapter 5: Strategic Security Planning with PKI
- Chapter 6: Ahead of the Hacker: Best Practices and a View of the Future
You can purchase Mission Critical Security Planner from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
How good is this at covering the basics of the hazy cloud that is "real" security, both against online attacks and social engineering?
I'm currently at the level of "if it passes [insert_attack_script] it's safe" but would like to learn how to get past that. I can competently secure a given box, but I think attempting a mid to large size network would be a "learning experience" (read: disaster) for me.
Any suggestions?
If I have been able to see further than others, it is because I bought a pair of binoculars.
Like, what percentage of attacks are actually prevented by such measures? E.g., how many sites have been protected from the SQL Slammer worm by their firewall, and on how many sites has the firewall failed, and why?
Despite the flood of publications entering the market, I have never seen any in-depth discussion of the quantifiable merits of security software. Usually the argument for investments in security is that you will save the cost caused by incidents (so the hidden assumption seems to be that the measures taken will be 100 per cent effective?). Does this book provide any more insight?
and that is the point of this book. Security is a process/plan, not a software feature. A firewall could have prevented the SQL Slammer worm. Then again, a firewall could not have prevented the SQL Slammer worm. The difference is whether or not the IT folks knew how to configure the firewall to meet their needs (in the case of the SQL worm, they didn't configure it on port 1434 or in general, because clearly most just had a default setup of some kind). Furthermore, the use of software like Microsoft SQL and its related components (MSDE, etc.) is a planning issue as it relates to security -- companies don't even know what they have installed, and if they have installed it, they have no process to assess their (in)security. This book drives at the heart of that whole debate and tries hard to provide a workable process. How do you plan, for an organization overall, for proper configuration of what you do deploy? How do you convince people to use an IDS, and if you do, how do you assure success (e.g. the author discusses the relationship between IDSs and vulnerability analysis)? If you get a book that simply gets quantitative on different software features (e.g. IDS, VA, firewall), it might not be very helpful. What would be helpful is how you plan and use this software. That's what this book helps with.
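The comment above turns on a configuration question: the same firewall either admits or blocks the Slammer traffic (UDP to port 1434) depending on whether anyone wrote a rule for it. The following is an added example, not code from the book or from either commenter: a small first-match policy evaluator in Python with a constructed "default setup" policy beside a constructed hardened one, plus a constructed firewall log that is replayed through each policy to show which UDP/1434 packets would have been admitted. The rule format, addresses (RFC 5737 test ranges and 10.0.0.0/8), and log lines are all assumptions made for the example.

```python
"""Added example: why a default firewall setup passed SQL Slammer (UDP/1434)
while a deliberately configured one did not. Rule format, policies, addresses
and log lines are constructed for this illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "udp", "tcp" or "any"
    src: str              # source CIDR, or "any"
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every non-wildcard field of the rule matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First-match evaluation: the first matching rule decides, else the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed "out of the box" policy: no explicit rules, everything allowed.
DEFAULT_POLICY: List[Rule] = []
DEFAULT_ACTION = "allow"

# Constructed hardened policy: internal hosts may reach the server segment,
# the SQL Server ports are never reachable from outside, only HTTPS is public,
# and anything not listed is dropped.
HARDENED_POLICY = [
    Rule("allow", "any", "10.0.0.0/8", None),
    Rule("deny", "udp", "any", 1434),   # SQL Server resolution service
    Rule("deny", "tcp", "any", 1433),   # SQL Server listener
    Rule("allow", "tcp", "any", 443),
]
HARDENED_ACTION = "deny"


def admits_external_udp_1434(rules: List[Rule], default: str) -> bool:
    """Audit check: would a UDP/1434 datagram from an outside address get through?"""
    probe = Packet("udp", "203.0.113.7", 1434)   # constructed TEST-NET-3 source
    return evaluate(rules, probe, default) == "allow"


# Constructed firewall log lines (key=value fields after a timestamp).
SAMPLE_LOG = [
    "2003-01-25T05:31:02Z proto=udp src=203.0.113.7 dst=10.0.0.5 dport=1434",
    "2003-01-25T05:31:02Z proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=443",
    "2003-01-25T05:31:03Z proto=udp src=10.1.4.20 dst=10.0.0.5 dport=1434",
    "2003-01-25T05:31:03Z proto=udp src=198.51.100.23 dst=10.0.0.6 dport=1434",
]


def parse_log_line(line: str) -> Packet:
    """Parse one constructed log line into a Packet (timestamp is ignored)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return Packet(fields["proto"], fields["src"], int(fields["dport"]))


def admitted_udp_1434(lines: List[str], rules: List[Rule], default: str) -> List[str]:
    """Replay the log through a policy; return sources whose UDP/1434 traffic
    the policy would have admitted. Under the hardened policy only internal
    sources remain, which is the list a planner would then investigate."""
    hits = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt.proto == "udp" and pkt.dport == 1434 and evaluate(rules, pkt, default) == "allow":
            hits.append(pkt.src)
    return hits


if __name__ == "__main__":
    for name, rules, default in (("default", DEFAULT_POLICY, DEFAULT_ACTION),
                                 ("hardened", HARDENED_POLICY, HARDENED_ACTION)):
        print(name, "exposes UDP/1434:", admits_external_udp_1434(rules, default),
              "admitted sources:", admitted_udp_1434(SAMPLE_LOG, rules, default))
```

The audit function is the planning hook the comment describes: it answers "is what we deployed actually configured?" for one specific service, and the same evaluator can be pointed at any other port the plan says must not be reachable from outside. Note that the hardened policy still admits internal UDP/1434, which is why the log replay matters: an infected internal host is a separate finding from an open perimeter.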